MSc in Information Systems Part Time, 2014-2016

Course: Critical Information and Communication Infrastructure Protection

Man-in-the-browser attacks

Christofilos Konstantinos (MM4140023)

Gerardos Pavlos (MM4140001)
Pantazaras Sokratis (MM4140013)

March 13th, 2015

Contents
1.

Introduction.......................................................................................................................................... 2

2.

From M to B .......................................................................................................................................... 3

3.

Malware distribution overview ........................................................................................................ 4

4.

The Man-in-the-browser (MITB) attack .......................................................................................... 6

4.1

Points of attack ................................................................................................................................ 6

4.2

MITB attack step-by-step............................................................................................................... 9

4.3

Famous MITB malware ................................................................................................................ 10

4.4

What makes MITB attack difficult to defend from ................................................................ 10

4.5

Defending against MITB attacks ............................................................................................... 11

5.

Variants of MITB ................................................................................................................................ 14

5.1

Clickjacking ..................................................................................................................................... 14

5.2

Boy-in-the-browser (BITB) ........................................................................................................... 16

5.3

Man-in-the-Mobile (MITMO) ....................................................................................................... 16

Conclusions ........................................................................................................................................ 18

References .......................................................................................................................................... 19

1 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

1. Introduction
Internet has transformed the global economy and revolutionized the way that people interact,
communicate and exchange information and goods.
Users are able to easily and quickly use any kind of personal device (smartphones, tablets, laptops)
in order to access online services, which also provide two-way communication; not only do they
update their users but they also get updated from them (Web 2.0).
One of the most commonly used services globally is Internet banking (e-banking).
As of April 2012, around 423 million people worldwide accessed online banking sites, reaching 28.7
percent of total Internet users1. Only for North America and Europe, this percentage was 45% and
37.8% respectively.

Graph source: statista.com

The statistics presented above allow us to understand the importance and usability of e-banking to
Internet users.
They also allow us to understand why cybercriminals are interested in exploiting these services. As
more and more people are accessing online banking services, they become potential targets to
those who have the technical expertise and audacity to swindle them and gain personal financial
benefit.

http://www.statista.com/statistics/233284/development-of-global-online-banking-penetration/

2 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

2. From M to B
One of the most well-known types of attack against financial institutions is the Man-in-the-Middle
(MITM) attack.
This method is based on the attackers ability to intercept a legitimate users session with a bank's
web server and use their machine (i.e. the attackers) as a proxy. All data would then pass through
their computer, giving them complete control over it and allowing tampering without either ends
knowledge.

This method has been used for quite some time from cybercriminals. However, I.T. security
engineers have managed to increase their defensive measures by the use of device identification
and Risk Engines (REs).
Risk engines analyse information related to every user session, like unique device IDs (UDIDs),
login times and session duration. All data are then combined and analysed in order to evaluate
whether such activity is reasonable/typical for that specific user (behavioural profile). If the
analysis produces an alert, then the issue is escalated for further inspection.
The above factors - technology (risk engines), experience (previous incidents) and maturity of
Internet users (it is easier for todays average user to identify a fraudulent website than it was
some years ago), have contributed in making MITM attacks very difficult to execute successfully.
For this reason, cybercriminals started to move towards a more advanced and promising method.
Instead of hijacking user sessions at the network layer (during transmission of data), attackers
have begun to target directly the users application layer, their web browser.

3 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

Trojan horses which are distributed through various well-known methods (email attachments,
hyperlinks on social networks or hijacked websites) install extensions on web browsers. These
extensions are able to:
-

Modify what the user sees on their computer (DOM manipulation),

Modify and/or redirect original user data before encryption and transmission takes place.
This ensures the data sent to the web banking server seems legitimate and therefore fraud
cannot be detected.

Modify the returning transaction data upon server response, so as to present information
to the user exactly as it expected to look.

3. Malware distribution overview

Internet provides a wealth of information and services to every user around the world. Of course,
some of the available services relate to non-legitimate purposes. Underground communities have
created well-organized, online markets where users can obtain malicious software for their needs
(malware-as-a-Service - MaaS).
Before proceeding with the details of how a MITB attack takes place, we will describe how malware
in general is distributed to computers of unsuspected users all around the world.
Malware distribution involves three parts:

Malware distribution - parties involved

a) Infection Point
The infection point is the method by which the malware is distributed to the target
machines. There are several distribution methods like:

4 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

A hijacked website which automatically downloads and installs a trojan on the users
computer (drive-by download).

An email attachment which contains executable code and runs when the user opens it.

A USB key which contains the malware and runs when the users connects it to their
computer (autorun.inf).

A PDF document or a PowerPoint presentation with embedded script code.

b) Command and Control (C&C) Server

Once the malware has been installed on the computer, instructions must be provided from
the attacker about the exact actions that will be performed. These instructions are provided
through configuration file and are distributed on the target machines from a Command &
Control (C&C) server. they contain information such as:

Website URLs that need to be monitored and intercepted,

Custom form fields that need to be added/changed per URL,

Drop server locations, where all the intercepted data will be sent.

The configuration files are usually encrypted/obfuscated, so as to be difficult to examine

their content, and can be easily updated from the C&C server with new information, e.g.
new e-banking URLs, updated form fields and drop servers.
c) Drop Server
The drop server is the location where all collected data from the target computers are sent.
This could be a hijacked machine whose administrator/owner has no knowledge that is
being used by cybercriminals, or the same C&C server that is used by the attackers.

5 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

4. The Man-in-the-browser (MITB) attack

A web browser is the client-side application which communicates with remote web servers,
downloads content and renders it on the users screen.
The main concept behind the MITB attack is that the rendering of information received from the
web server (i.e. how the webpage will be displayed DOM tree) can be edited/manipulated on-thefly, in order to customize/improve the users experience, e.g. remove ads/banners or change
colours (augmented browsing).
Although there is nothing wrong with this concept, the exact same method can be used for
malicious purposes; the mechanisms that can change the layout or the colors of a web page can
also change the values of submitted forms in the background, while displaying whatever
information their creator wants to in the users screen.

4.1 Points of attack

Extra functionality can be inserted into web browsers in a variety of ways, depending on the
browser type. Extra functionality usually aims at enhancing user experience, but fraudsters can
use this capability to take control of the browser. Ways to incorporate new functions into the
browser include:

Browser Helper Objects (BHOs)

Browser helper objects are dynamically-loaded libraries (DLLs), specifically designed for
Microsofts Internet Explorer with access to the Document Object Model (DOM). They are
activated on browser start-up and provide additional functionality, e.g. the Adobe Acrobat
plugin is a BHO which allows opening PDF files directly from the web browser.

6 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

List of Add-ons (BHOs) in Internet Explorer

BHOs have been extensively used by cybercriminals due to the fact that they are easily
developed and run with high privileges (System account).

Extensions

Similar functionality to BHOs for other browsers like Chrome, Firefox or Opera is carried
out from extensions. Some of them, like Greasemonkey for Firefox (www.greasespot.net)
act as a placeholder for custom-made user scripts. That means that Greasemonkey does
not perform a specific action - like Adobe Acrobat plugin for PDF files - but instead allows
any user script to run with its custom functionality like a dynamic/reprogrammable
extension.

List of extensions in Google Chrome

7 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

API hooking

API hooking is a complex technique which allows modification of API calls between an
application (.exe) and the DLLs it dynamically loads - whether application or system.
For example, on Windows machines, the Windows Internet API (wininet.dll) enables
applications to interact and access Internet resources through HTTP and FTP protocols.
Malware installed on a browser can - once activated - hook to various functions of
wininet.dll,

e.g.

InternetConnect(),

HttpSendRequest(),

HttpOpenRequest(),

InternetReadFile() and modify the original calls.

API hooking on wininet.dll

AJAX sniffing

Another technique used for MITB attacks is AJAX sniffing. The approach this time is to hit
the web server in order to collect or alter data on the client side.
Web technologies have evolved rapidly in the last years, and are now able to provide high
quality services with very smooth and fast functionality. In order for users to enjoy the
Web 2.0 services, a hack was invented in order to bypass the HTTP drawbacks, like the
synchronous way of requests.
A technology called Asynchronous JavaScript and XML (AJAX) is commonly used which
makes the navigation and use of a web application look and feel more like a desktop
application.
AJAX is based on a JavaScript object called XMLHttpRequest, which is responsible for calling
URLs asynchronously in the backstage of a web site visit and is able to update specific parts
or the complete page, when a response is returned.
AJAX sniffing is based on that implementation and injects JavaScript code snippets in web
pages that are vulnerable to XSS attacks.
XSS (Cross Site Scripting) attacks exploit web server vulnerabilities and allow the attacker to
inject code to a webpage via HTTP payload (POST, GET parameters).
When the malicious Javascript code is injected into the web server, it overrides the
XMLHttpRequest object and starts sniffing all the requests the client makes to the server.
That way, it can intercept all the information that is exchanged between the client and the

8 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

server and forward the data to a remote server (drop server) where they can be used for
whatever purpose the cybercriminals may want.
Just imagine, modern sites logs users via AJAX calls, which means that usernames and
passwords from all users can be collected, without having to install any malware on the
clients. That is the worst thing about AJAX sniffing.
Fortunately, this kind of attack is based on server-side exploits; therefore the main
responsibility shifts to the web servers administrator(s), who are theoretically more
technically aware of the field of information system security than a normal user.

4.2 MITB attack step-by-step

A detailed, step-by-step description of the MITB attack can be seen below:
1. The Trojan infects the computer's software, either at the operating system or application
level (infection point).
2. The Trojan installs an extension into the browser configuration, so that it will be loaded
next time the browser starts.
3. At some later time, the user restarts the browser.
4. The browser loads the extension.
5. The extension registers a handler for every page-load.
6. Whenever a page is loaded, the URL of the page is searched by the extension against a list
of known sites targeted for attack.
7. The user logs in securely on to for example https://secure.ebanking.site/.
8. When the handler detects a page-load for a specific pattern in its target list (for example
https://secure.original.site/account/do_transaction), it registers a button event handler.
9. When the submit button is pressed, the extension extracts all data from all form fields
through the DOM interface in the browser, and remembers the values.
10. The extension modifies the values through the DOM interface.
11. The extension tells the browser to continue to submit the form to the server.
12. The browser sends the form, including the modified values, to the server.
13. The server receives the modified values in the form as a normal request. The server cannot
differentiate between the original values and the modified values, or detect the changes.
14. The server performs the transaction and generates a receipt.
15. The browser receives the receipt for the modified transaction.
16. The extension detects the https://secure.ebanking.site/account/receipt URL, scans the
HTML for the receipt fields, and replaces the modified data in the receipt with the original
data that it remembered in the HTML.
17. The browser displays the modified receipt with the original details.
18. The user thinks that the original transaction was received by the server intact and
authorized correctly.

9 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

4.3 Famous MITB malware

A few of the most well-known malware which use the MITB attack method can be found below:
-

Zeus/Zbot
Zeus/Zbot and its variants (Zeus Gameover P2P) is probably the most well-known financial
malware. It infects Windows machines and is based on the client/server model (requires a
C&C server in order to organize the attack).
It is able to steal private data from the infected computers such as usernames/passwords,
banking credentials by injecting malicious information in the users web browser.

Carberp
In 2012, the Carberp malware was reported replacing Facebook pages with fake ones
which stated that the users account was temporarily locked. In order to unlock the
account, the user had to complete a web form which included personal information like
name, email, password and also pay a 20 uKash e-voucher to confirm verification.
The cash voucher would supposedly be added to the users Facebook main account balance
but in reality, the 19-digit uKash code was transferred to the Carberp botmaster who could
use it as normal cash equivalent.

Carberps Facebook attack

4.4 What makes MITB attack difficult to defend from

Man-in-the-Browser attacks pose high risk due to the following factors:

Infection is easy

Users are accustomed to downloading several files from the Internet, as well as regularly
updating their installed applications, including their web browser and its various
extensions.
Software updates are usually either automatically approved without any user
intervention, or are not given enough attention (users tend to just click Accept on
installation prompts without noticing what the dialogs/prompts state).

10 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

Detection is hard

All technical vectors involved in the MITB attack (extensions, scripts) are carefully crafted,
involve advanced technical knowledge and most importantly, are installed and run only on
the client-side, where normal users usually have neither the expertise nor the technical
knowledge and/or mechanisms to defend themselves.
Additionally, such malware is usually distributed with variations of the malicious code in
order to circumvent antivirus/antispyware software installed on the client machines.

Authentication and server-side fraud detection mechanisms are inadequate

MITB is not a phishing attack; it does not use fake data, e.g. malicious websites that
resemble the real ones, in order to steal users information. All data that the e-banking
servers receive are indeed sent from legitimate users and their machines.
This means that traditional security measures like authentication (username/password) or
transaction verification (by use of one-time-passwords - OTP) are rendered useless since all
of this data is sent through the browser and is therefore available to tamper with by the
installed malware.

4.5 Defending against MITB attacks

As already stated, MITB attacks are quite advanced both in concept and technology, which means
that there is no easy way to defend against them. However, there are some techniques and/or
proposals which can be used against them and are presented below:

Hardened browser

The concept of a hardened browser is based on the creation of a browser that will be able
to access e-banking services without allowing any kind of external/custom-made code
which by default might be malicious (extensions/BHOs) - to load.
Additionally, the application should be available for distribution as a single, static binary so
as to also avoid API hooking through dynamically-called external libraries.
In more detail, a hardened browser should fulfil the following requirements:
O

Statically compiled prohibit loading of dynamic libraries

Stripped no compiler symbols should be available to guide the attack

Have additional binary-protection methods - executable should be encrypted or

packed.

Allow only HTTPS connections prohibit plain HTTP

Process monitoring for launching of executables from browser

Memory-space

protection

(against

key

loggers

and/or

screen

applications)
o

White-list of valid e-banking websites

Browser can only connect to a predefined list of e-banking servers.

White-list of SSL certificates

11 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

capturing

No addition of SSL certificates is allowed

Pros
+ No extensive work required in order to customize and strip-down industry standard
browsers (Firefox, Chrome, IE).
+ Can be easily distributed as an alternative/parallel installation for use only on secure ebanking sites.
+ Better usability than a live distribution if an update is published, users just download
the new version without need to burn new CD or re-format USB stick.
Cons
- Allowing only valid websites or SSL certificates based on white-lists might lead to having
to continuously update the executable with new/updated information. This is obviously a
not very practical and certainly quite tiring process for the end user, who would certainly
prefer not to be involved.
- Downloading the hardened browser is always susceptible to phishing the user may be
deceived and redirected to a website where a malicious/vulnerable version of the
supposedly hardened browser is distributed.

Bootable, write-protected live distributions (live-CD/DVD)

Free/Open source software distributions of client operating systems like Knoppix are
distributed freely and can be burned to a bootable, read-only media (CD/DVD).
As the media is write-protected, no installation can take place permanently, which means
that if the user wishes to perform an online bank transaction, a reboot will securely reset all
browser settings to the defaults and will allow the user to connect to the e-banking server
securely.
Pros
+ Upon reboot, a live-CD is considered highly secured.
Cons
- Browsers on live-CDs also need to be updated and patched every time the user restarts
the live-CD distribution, otherwise they run the risk of connecting to the web banking
server insecurely.
- Users dont like to reboot their computers very often. Especially as they will have to lose all
the customizations that they have made during their current session, it is quite probable
that they will eventually either not reboot which poses a security issue - or not use the
live-CD distribution at all.

12 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

Out-of-band transaction verification

A popular method to counteract a MITB attack is the so called Out of Band (OOB)
transaction verification. This method is based on the usage of a communication channel
other than the web browser (telephone call, SMS) in which the transaction details will be
verified.

Pros
+ Works with standard devices (mobile phones) does not need additional hardware

Cons
- Can be easily subverted as well if the verification information (phone number) is stored in
the users account online.
- OOB SMS can also be broken by Man-in-the-mobile (MITMo) attacks like ZitMo (Zeus-inthe-Mobile) and SpitMo (SpyEye-in-the-Mobile).

Campaigning Training for raising awareness

Apart from the technical vectors, campaigns and training sessions from financial
institutions and government agencies help in raising user awareness about how these
attacks take place and how they could be identified.
One of the more effective methods for stopping MITB is by educating Internet users on the
extent of the threat. Malware has to enter the users computer somehow, so if users are
made aware of how this can happen, it is less likely MITB will be effective. Properly
maintained firewalls and scanning of all downloads will significantly reduce a users risk of
being a victim.

13 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

5. Variants of MITB
The MITB attack method is actually a family of malware components designed to exploit
vulnerabilities in user browsers. Some members of the family can be classified as sub-categories in
their own right. The most important of these are presented briefly below.

5.1

Clickjacking

Clickjacking was originally described by Jeremiah Grossman of WhiteHat Security fame back in
2008. The idea here is to create a layer of authenticity, under which lies a different purpose. An
easy-to-understand example is given in http://www.troyhunt.com/2013/05/clickjack-attack-hiddenthreat-right-in.html. The gist of that example is described below.
Assume that a user is engaged in online banking activity. They are already logged into the bank
service and most probably assume that they are perfectly safe as long as this is the case.
Moreover, they expect that any content displayed while they are browsing through their account
and transaction information is originating from the bank service.
At some point the user comes across a page which includes some sort of offering, the chance for
example to win a free iPad. The user may then be tempted to give this a shot: if it comes from the
bank, it must be safe. They proceed in clicking on some link, which then results in something quite
different happening: perhaps an amount of money from one of their accounts is transferred to
another account, which the user knows nothing about. It will probably be sometime before the
user realises that somethings gone wrong.
How did this happen? The usual mechanism is quite simple. Assuming the existence of a website
that an attacker is interested in (well refer to that as website A the banks website in the previous
example), and a user that has access to that website (the user engaged in web-banking), the
success of this method depends on whether the attacker can trick the user into visiting a different
website (website B), which is under the formers control. If the users browser is running malicious
BHOs or plug-ins as a result of it having been hijacked, this is quite easy.
The user is directed to website B, after pointing their browser at a location of interest (as is
described in the MITB section). Website B is under control of the attacker, and so the latter can
render, for instance, JavaScript and multiple pages. Website A is loaded inside a separate iframe,
and is initially displayed as-is to the user. The user starts their interaction with website A as
normal. They log in and take care of their business as usual. They are never aware that something
is wrong. At any time, the attacker can place content of their choosing on website B and overlay
that content over the content of A by using a variety of ways (such as rendering the content of
website A invisible). The attacker can then take advantage of the fact that the user is still actually
interacting with A, but seeing something completely different on screen. In other words, the
attacker is tricking the user into performing legitimate bank transactions, while the user is under
the impression they are doing something completely different (such as opting for a free iPad).
L. Huang et al. in their paper Clickjacking: Attacks and Defences classify current clickjacking
attacks into 3 categories, which correspond to the ways that users are forced to issue input

14 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

commands (i.e. clicking on a link) which result in actions different than what they believe when
they issue them (the phrase out of context is used throughout the paper to describe this
situation). These categories are:

Attacks that compromise target display integrity, meaning that the user views something
different than the legitimate website is actually showing, at the time when considering about
clicking on a link.

Attacks that compromise pointer integrity, meaning that the feedback given from the cursor or
other input device is reliable and has not been tampered with, so that the user may click on
something different than they intended.

Attacks that compromise temporal integrity, meaning that the users are not given a sufficient
amount of time to understand what they are clicking on and whether theyd really like to
proceed.

An interesting distinction is made between clickjacking attacks, and social engineering attacks,
which do not attempt to manipulate security mechanisms to breach a websites security, but
rather to manipulate people to attempt something that they normally wouldnt do. A social
engineering attack is more or less the psychological bullying of the user into giving out
information that is of value to attackers (i.e. account numbers, e-mails, passwords), because the
user is manipulated to doing so by social conventions. A simple example is a social network post
which prompts the user to like it or interact with it by posing as an organisation for the aid of
blind children. The user may just go ahead and do this to appear concerned and socially
responsible to others. The problem here arises from people being naive enough to follow a social
convention without verifying that the information they are dealing out is actually going to where
they are expecting it to this has nothing to do with clickjacking.
The most widely used clickjacking defences today use frame-bursting. Frame-bursting refers to
code provided by a webpage which prevents the page from being loaded in an iframe, as
described above. The basic principle of the code is simple:

if (top.location != this.location) {
top.location = self.location;
}
Unfortunately, frame-bursting has the major drawback of being incompatible with third-party
widgets, such as like and follow buttons. Other approaches include:

User confirmation: The user is prompted to verify his initial action.

User interface randomisation: This approach dictates that the positioning of sensitive
elements (such as buttons, links, etc.) should vary every time a page is loaded.

Opaque overlay: All cross-origin frames are rendered opaquely (a technique employed by
the Gazelle browser).

15 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

Evidently, these approaches suffer from their own problems. User confirmation is notorious for
straining the patience of users, who feel it is burdensome to have to make multiple clicks to
complete one action. Interface randomisation violates the basic principle of keeping an interface
consistent so that users can grow accustomed and not get lost every time they try to interact with
it. Finally, opaque overlay removes all transparency from all cross-origin elements, thus deforming
many websites that are not being used for malicious purposes.

5.2

Boy-in-the-browser (BITB)

The Boy-in-the-Browser method of attack is generally considered a less-mature, dubbed-down

version of the MITB attack. There are some differences between the two approaches:

The BITB trojan redirects the traffic between the infected browser and the website of
interest to a third-party site (which may even mimic the legitimate one), where most of the
unauthorised processing takes place, either it consist of simply copying down the
information passed or altering the ongoing transactions in some form.

BITB scripts are much simpler than MITB scripts, and therefore require fewer resources.
Evolving a new BITB trojan can be a process that takes a few hours, while useful MITB
trojans usually need months to mature.

BITB trojans evolve much more frequently, and therefore anti-virus programs have more
difficulty catching up with the latest threats.

It is easier to locate the culprit once the attack has been recognised as a BITB attack, and
shut down the third-party server collecting and processing the information.

Because of their nature, BITB trojans tend to be used for one-time hit-and-run operations.
They are also used to target a greater variety of websites and are not primarily focused on
financial institutions.

The basic outline of the method of operation is this: once the BITB trojan is downloaded, it starts
tampering with the user systems host file, mainly by adding new entries to it. This results in a remapping of specific addresses to others, which point to websites controlled by the attacker (these
websites may be phishing sites or act as proxies to legitimate sites). As in the MITB situation, the
victim is completely unaware: the URLs displayed on the browser address bar are the legitimate
ones.

5.3

Man-in-the-Mobile (MITMO)

With the growth of the smartphone market, especially the Android platform, it was inevitable that
cyber-attackers would eventually target mobile phones, as they now offer more opportunities than
ever for information eavesdropping and related malicious activities. Indeed, with so many apps
hitting the market at this pace, and which involve pretty much everything from gaming to banking
to social networking, the premise is very promising for anyone who wants to gain access to
sensitive data fast and easy.
It is no surprise that the MITB malware family expanded to hit the new market. Around the start of
2011, S21Security detected a new, rather sophisticated, banking trojan, which they named
Tatanga, written in C++ and affecting banks in Spain, United Kingdom, Germany and Portugal

16 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

using MITB functions. Almost a year later, ESET was following the progress of the same virus
family (which they in turn called Gataka), commenting on their blog how surprising it was that it
had received so little attention at the time, taking into account that the trojans stability and
functionality was bound to make it popular with fraudsters in the future. In due turn, Trusteer
noted soon after that a variant of the malware had finally migrated onto the Android platform.
The attack is not launched at the users mobile at first, but rather at the users web browser on
their desktop computer. The bait here is a new security feature that is supposed to have become
available for the Android platform, which a great number of users already have installed. The user
is prompted to download this app on their mobile by entering their number and submitting an
online request, which will then result in a text message being sent to their phone. The SMS
contains a link to install the alleged app, which is in fact the Tatanga virus.
Once installed, the virus can capture all SMS traffic, thus gaining access to all sorts of sensitive
information (including bank authorisation codes), which it transmits to the attackers.
This method of attack is very useful in circumventing the out-of-band security mechanisms that a
lot of European banks use as a verification method. The out-of-band security approach requires
the use of a separate medium to act as a verification agent for online transactions launched from a
personal computer. That medium is usually the users mobile phone, where an SMS verification
code is sent, which the user can then enter at the appropriate time to verify that they are actually
the party that initiated the transaction. By gaining access to the SMS communications the users
phone participates in, the virus renders out-of-bank authentication ineffective.

17 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

6 Conclusions
The MITB Trojan, along with all its variations, is yet another example of the undeniable fact that
cyber-criminals have turned their attention to simple users, rather than companies and other
organisations, the majority of which are now well aware of the risks of online transactions and
tend to invest a lot in security measures and procedures.
Individual users, on the other hand, remain at best moderately informed about the risks of using
online services of any kind. They are not too familiar (or do not wish to become so) with the many
pitfalls of such endeavours as online banking. Nevertheless, they make more and more use of
available services, thus increasing the chances for attackers to gain profit. As a result, more
services become available at a growing pace, especially in the mobile phone market. End users
favour mobile applications, as they offer instant access to whatever they need, whenever they
need it. The Android app market especially is a goldmine for fraudsters who want to target
unsuspecting users: downloading and installing a mobile app is as easy as can be, and it seems
that the notion of risk in this area has yet to become common knowledge.
Clearly, this is something that has to be taken into account, and it is companies that have to take
the first step: assuming that users are well-protected behind their firewalls and anti-virus
platforms can bring down even the most sophisticated of security systems. Even approaches that
use multiple media for authorisation (such as the out-of-band verification system) can be bypassed
with the advent of mobile-targeted trojans. Raising awareness is of course imperative, but it is
worrying that most users tend to believe that it is rather the companies responsibility to ensure
secure exchange of information, and not their own.

18 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

7 References

C. Cain, SANS Institute Analyzing Man-in-the-Browser (MITB) Attacks

(https://www.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks35687)

O. Eisen, 41st Parameter Catching the fraudulent 'Man-in-the-Middle' and 'Man-in-theBrowser'

(http://www.the41.com/sites/default/files/MITM%20and%20MITB%20Overview_41st%20Parameter.pdf)

J. Dossogne, O. Markowitch Online banking and man in the browser attacks: Survey of the
Belgian situation
(http://www.ulb.ac.be/di/scsi/markowitch/publications/wic2010b.pdf)

M. Stahlberg, F-Secure The Trojan money spinner

(https://www.f-secure.com/weblog/archives/VB2007_TheTrojanMoneySpinner.pdf)

OWASP Man in the browser attack

(https://www.owasp.org/index.php/Man-in-the-browser_attack)

Trusteer/IBM How Man-in-the-Browser (MitB) Malware Works video

(http://securityintelligence.com/media/malware-man-in-the-browser-mitb-how-works-video)

ISACA Man in the Browser - A Threat to Online Banking

(http://www.isacajournal-digital.org/isacajournal/2013vol4?folio=16#pg18)

Almeida, Buyuksahin, Dimogerontakis, Tarhan Man in the browser attacks

A. Nordbo Man-in-the-browser to retrieve content of SSL connections

(https://andynor.net/static/fileupload/419/S2_SoftSecTrends_Man-in-the-browser.pdf)

Wells, Hutchinson, Pierce - Edith Cowan University Enhanced Security for Preventing Manin-the-Middle Attacks in Authentication, Data Entry and Transaction Verification
(http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1057&context=ism)

Sood, Enbody, Michigan State University The Art of Cyber Bank Robbery
(http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf)

T. Siebert Advanced Techniques in Modern Banking Trojans

(https://www.botconf.eu/wp-content/uploads/2013/12/02-BankingTrojans-ThomasSiebert.pdf)

R. Hansen, SecTheory Clickjacking

(http://www.sectheory.com/clickjacking.htm)

T. Hunt Clickjack attack - the hidden threat right in front of you

(http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html)

J. Grossman Clickjacking: Web pages can see and hear you

(http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html)

L. Huang, A. Moshchuk, H. J. Wang, S. Shechter, C. Jackson Clickjacking: Attacks and

Defences
(https://www.google.gr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CCoQFjAB&url=https%3A
%2F%2Fwww.usenix.org%2Fsystem%2Ffiles%2Fconference%2Fusenixsecurity12%2Fsec12final39.pdf&ei=X58CVa3SHMavygOJ-YLYDg&usg=AFQjCNH5frH5dZ0y3LeilOA4dSLda5Y4eQ)

S. Johnson Social engineering attacks: Is security focused on the wrong problem?

(http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem)

G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson Busting Frame Busting: a Study of

Clickjacking Vulnerabilities on Popular Sites
(https://www.google.gr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAA&url=http%3A%
2F%2Fcrypto.stanford.edu%2F~dabo%2Fpubs%2Fpapers%2Fframebust.pdf&ei=VqECVfjICofOyQOr6YL4DA&usg=AFQjCNGJ
N_rfw1OALYJFvaoKJ0ncxARpIw&bvm=bv.88198703,d.bGQ)

19 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

PC Tools The Boy-in-the-Browser is more than Just Mischievous

(http://www.pctools.com/security-news/bitb-trojan/)

Imperva Boy in the Browser

http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser

B. Prince Boy-in-the-Browser Attacks Come Out and Play

(http://www.eweek.com/security-watch/boy-in-the-browser-attacks-come-out-and-play.html)

InfoSecurity Magazine Man in the Browser (MITB) becomes Man in the Mobile (MITMO)
(http://www.infosecurity-magazine.com/news/man-in-the-browser-mitb-becomes-man-in-the-mobile/)

A. Klein Tatanga Trojan Bypasses Mobile Security to Steal Money from Online Banking
Users in Germany
(http://securityintelligence.com/tatanga-trojan-bypasses-mobile-security-to-steal-money-from-online-banking-users-ingermany/#.VQKojY6Ud8F)

A. Klein Man-in-the-Mobile Attacks Single Out Android

(http://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/#.VQKpJY6Ud8G)

J. Boutin Win32/Gataka: a banking Trojan ready to take off?

(http://www.eset.com/int/about/blog/blog/article/win32gataka-a-banking-trojan-ready-to-take-off/)

20 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras